Bug 1444371 (CVE-2017-7980) - CVE-2017-7980 Qemu: display: cirrus: OOB r/w access issues in bitblt routines
Summary: CVE-2017-7980 Qemu: display: cirrus: OOB r/w access issues in bitblt routines
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7980
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1444372 1444373 1444377 1444378 1444379 1444380 1444382 1444383 1444384 1444385 1444387 1444388 1444390 1444391 1444392 1444393 1444394 1445559
Blocks: 1432498
TreeView+ depends on / blocked
 
Reported: 2017-04-21 08:59 UTC by Prasad Pandit
Modified: 2021-02-17 02:14 UTC (History)
39 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An out-of-bounds r/w access issue was found in QEMU's Cirrus CLGD 54xx VGA Emulator support. The vulnerability could occur while copying VGA data via various bitblt functions. A privileged user inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:10:57 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1205 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security update 2017-05-09 15:07:02 UTC
Red Hat Product Errata RHSA-2017:1206 0 normal SHIPPED_LIVE Important: qemu-kvm security update 2017-05-09 16:29:49 UTC
Red Hat Product Errata RHSA-2017:1430 0 normal SHIPPED_LIVE Important: qemu-kvm security and bug fix update 2017-06-13 11:26:41 UTC
Red Hat Product Errata RHSA-2017:1441 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security and bug fix update 2017-06-14 19:20:20 UTC

Description Prasad Pandit 2017-04-21 08:59:32 UTC
Quick emulator(Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is
vulnerable to an out-of-bounds r/w access issues. It could occur while copying
VGA data via various bitblt functions.

A privileged user inside guest could use this flaw to crash the Qemu process
resulting in DoS OR potentially execute arbitrary code on a host with
privileges of Qemu process on the host.

Upstream patches:
-----------------
  -> http://git.qemu.org/?p=qemu.git;a=commitdiff;h=026aeffcb4752054830ba203020ed6eb05bcaba8
  -> http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ffaf857778286ca54e3804432a2369a279e73aa7

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/04/21/1

Comment 1 Prasad Pandit 2017-04-21 09:00:09 UTC
Acknowledgments:

Name: Jiangxin (PSIRT Huawei Inc.), Li Qiang (Qihoo 360 Gear Team)

Comment 2 Prasad Pandit 2017-04-21 09:02:18 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1444373]

Comment 3 Prasad Pandit 2017-04-21 09:02:41 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1444372]

Comment 9 errata-xmlrpc 2017-05-09 11:09:17 UTC
This issue has been addressed in the following products:

  RHEV 3.X Hypervisor and Agents for RHEL-6

Via RHSA-2017:1205 https://access.redhat.com/errata/RHSA-2017:1205

Comment 10 errata-xmlrpc 2017-05-09 12:48:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1206 https://access.redhat.com/errata/RHSA-2017:1206

Comment 19 errata-xmlrpc 2017-06-13 07:27:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1430 https://access.redhat.com/errata/RHSA-2017:1430

Comment 20 errata-xmlrpc 2017-06-14 15:35:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2017:1441 https://access.redhat.com/errata/RHSA-2017:1441

Comment 21 Fedora Update System 2017-07-25 21:24:47 UTC
qemu-2.7.1-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.